HPE Community
Operating System - HP-UX
1820484 Members
2133 Online
109624 Solutions
New Discussion

Re: password encryption

 
SOLVED
Go to solution
tempsample
Frequent Advisor

‎06-20-2013 06:12 AM

‎06-20-2013 06:12 AM

password encryption

I was successfull in encrypting the password in v3 using

 

/usr/sbin/usermod -p $(perl -e"print crypt('user1123','xxxxxxxx')") -F testid19

 

but -p option is available only in HP-UX 11 i v3.

 

but i have to change user password in HP-UX 11i v1 and v2.

 

Is there any option ???

0 Kudos
Reply
15 REPLIES 15
Patrick Wallek
Honored Contributor

‎06-20-2013 06:29 AM

‎06-20-2013 06:29 AM

Re: password encryption

On HP-UX 11.11 and 11.23 try using the /usr/sam/lbin/usermod.sam command.

 

The syntax is a bit different, but it will still work.

 

# ./usermod.sam -?
Unrecognized Option '?'
Usage: usermod.sam [-p <passwd> [-u <uid> [-o]] [-g <group> [-G <group>[,<group...> [-d <dir> [-m]] [-s <shell>] [-c <comment>] [-f <inactive>] [-e <expire>] [-l <new logname>] <login>

 

Where the '-p <passwd>' is the encrypted password.  For example:

 

# /usr/sam/lbin/usermod.sam -p abc123 pwallek

 

# cat /tcb/files/auth/p/pwallek
pwallek:u_name=pwallek:u_id#122:\
:u_pwd=abc123:\
:u_auditid#48:\
:u_auditflag#1:\
:u_succhg#1364840922:u_suclog#1364840930:u_suctty=pts/ta:u_unsuclog#1364840900:\
:u_unsuctty=pts/ta:u_lock@:chkent:

 

And notice that my encrypted password is now abc123.

 

 

Reply
tempsample
Frequent Advisor

‎06-20-2013 06:37 AM

‎06-20-2013 06:37 AM

Re: password encryption

HI

 

 

I have tried using below and successfull,but i am not sure what is the use of 66 in password.

 

#export user=testuser
# export pass=testuser66
# /usr/sam/lbin/usermod.sam -p `echo $pass | /usr/lbin/makekey` $user

 

without using 66 in passowrd, I am not successful..

 

what is the use of 66 ?

0 Kudos
Reply
tempsample
Frequent Advisor

‎06-20-2013 06:39 AM

‎06-20-2013 06:39 AM

Re: password encryption

Hi

 

/usr/sam/lbin/usermod.sam -p abc123 pwallek

 

but when i tried above option, the password is not getting encrypted and when i check the status with passwd -s username,still user account is locked.

 

I am not using trusted system.

0 Kudos
Reply
tempsample
Frequent Advisor

‎06-20-2013 06:46 AM

‎06-20-2013 06:46 AM

Re: password encryption

Hi

 

 

#/usr/sam/lbin/usermod.sam -p abc123 testuser
# passwd -s testuser

testuser  LK    06/20/13    0  91

 

 

password status is still locked.

 

I am not able to login.

0 Kudos
Reply
Patrick Wallek
Honored Contributor

‎06-20-2013 06:59 AM

‎06-20-2013 06:59 AM

Re: password encryption

In my post above, I said -- Where the '-p <passwd>' is the encrypted password.

 

You have to pass the encrypted password to the command.  This command does NOT encrypt the password for you.

 

My example with my id was to show that the string passed to the '-p' option would show up EXACTLY the same in the password field which means NO encryption is done. 

Reply
tempsample
Frequent Advisor

‎06-20-2013 09:42 PM

‎06-20-2013 09:42 PM

Re: password encryption

# /usr/sam/lbin/usermod.sam -p `echo ABcd@123466 | /usr/lbin/makekey` testuser

 

what is the use of 66 in password filed.

 

 

when i leave out 66,i am not successful .

 

and when i use 66 in password field ,i am successful and the password set is ABcd@1234

 

but 66 is not taken in to password filed.

 

what is the reason.

 

 

 

 

0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎06-21-2013 12:43 AM

‎06-21-2013 12:43 AM

Re: password encryption (makekey)

>echo ABcd@123466 | /usr/lbin/makekey

 

makekey(1) says the first 8 chars are the password and the next two are the salt.

Reply
tempsample
Frequent Advisor

‎06-21-2013 01:26 AM

‎06-21-2013 01:26 AM

Re: password encryption (makekey)

HI Dennis,

 

 

I do read the man page .. Thanks for info.

 

but My problem is ,, I am trying to change the password by script.

 

USERNAME=$1
PASSWD=$2

echo "------------------------------------------------------------" >> ${PWD2LOG}
echo "Start : `date +\"%Y/%m/%d %H:%M:%S\"` \n" >> ${PWD2LOG}

WORKDAY=`date +%Y%m%d`

echo "User : ${USERNAME}   Pass : ${PASSWD}\n" >> ${PWD2LOG}
#echo $USERNAME
#echo $PASSWD
#sleep 5
if [ "${USERNAME}" != "" ];then
if [ "${PASSWD}" != "" ];then

echo "Crypting the given password"  >> ${PWD2LOG}

#/usr/sbin/usermod -p $(perl -e"print crypt('$PASSWD','xxxxxxxx')") -F $USERNAME


/usr/sam/lbin/usermod.sam -p `echo $PASSWDlb | /usr/lbin/makekey` $USERNAME

 

if [ $? != 0 ];then
echo "\nERROR. PASSWD change faild" >> ${PWD2LOG}
echo "return 1" >> ${PWD2LOG}
RTNCODE=1
echo  "`hostname`: ERROR. PASSWD change failed"
else
echo  "\n Passwd Set OK." >> ${PWD2LOG}
echo "return 0" >> ${PWD2LOG}
#RTNCODE=0
echo  "`hostname`: Passwd Set OK." >> ${PWD2LOG}
RTNCODE=0
#echo "0"
fi
else
echo  "\nERROR.  PASSWD param not set" >> ${PWD2LOG}
echo "return 1" >> ${PWD2LOG}
RTNCODE=1
echo  "`hostname`: ERROR. PASSWD param not set"
fi
else
echo "\nERROR. USER param not set" >> ${PWD2LOG}
 echo "return 1" >> ${PWD2LOG}
    RTNCODE=1
      echo "`hostname`: ERROR. USER param not set"
      fi
      echo "\n End  : `date +\"%Y/%m/%d %H:%M:%S\"`" >> ${PWD2LOG}
echo "------------------------------------------------------------" >> ${PWD2LOG}
exit 0

 

 

in /usr/sam/lbin/usermod.sam -p `echo $PASSWDlb | /usr/lbin/makekey` $USERNAME

 

when I am executing it manually, I am sucessfull and account is able to log in the server.

 

but when i am trying to use it across script,account is still locked.

 

since i guess there is some mistake in exporting the password filelds .

 

any suggestion to fix the issue.

0 Kudos
Reply
Matti_Kurkela
Honored Contributor

‎06-21-2013 01:38 AM

‎06-21-2013 01:38 AM

Re: password encryption

The traditional crypt(3C) Unix password encryption (= what the makekey command does) is technically known as a type of "salted hash".

 

The "salt" is a value used to modify the encryption process, to make it harder to reverse. The salt should usually be chosen randomly when the password is encrypted for storage.


The crypt(3C) algorithm takes a maximum of 8 characters as a password + 2 characters of salt.

So in your example, the password will be "ABcd@123", the salt will be "46" and the extra "6" at the end will simply be ignored.

(You could have replaced the "66" in your example with just "6" and still would have got the same result. The makekey command wants exactly 10 characters: if it gets less than that, it will fail. If it gets more than that, it gets the first 10 and ignores the rest.)

 

For each different salt value, the password will be encrypted in a different way. So it will be hard to confirm if someone else has the same password as you by simply comparing the encrypted passwords: if that other person has a different salt value, then the encryption result will be totally different, even if the actual password is the same.


Since the crypt(3C)-style password encryption is not effectively reversible, the password cannot be decrypted for checking. Instead, when the user enters his/her password into the password prompt at login, the user-entered password will also be encrypted, and then the encryption result will be compared with the stored encrypted password. But to make this comparision valid, the user-entered password must be encrypted using the same salt value as the stored password.

To make this possible, the salt must be stored unencrypted: it will be the first two characters in the encrypted password field.

 

I don't have a HP-UX system available at the moment, so I don't have the "makekey" command. But modern versions of OpenSSL also have a password encryption function, which handles several well-known password algorithms, including crypt(3C):

 

$ openssl passwd -crypt -salt 46 ABcd@123
46Qtr3Dtgy0u6

I think this is exactly the same as the value you got from the "makekey" command in your example, right?

As you can see, the salt appears unencrypted at the beginning of the encrypted result. This command makes it more obvious, as the salt must be entered using a separate option.

 

If the -salt option is not used, the "openssl passwd" command will choose the salt value randomly, so the encryption result will be different each time:

$ openssl passwd -crypt ABcd@123
S3oA559In3qHE
$ openssl passwd -crypt ABcd@123
4e.6PnvMJGuHo
$ openssl passwd -crypt ABcd@123
7S/umCxP4JdhM

 

 

MK
Reply
tempsample
Frequent Advisor

‎06-21-2013 03:20 AM

‎06-21-2013 03:20 AM

Re: password encryption

Hi Matti,

 

 

Thanks for the suggestion.

 

I do understand your point,but i want to set the username and password to be same.

 

if i am going to create 10 users and for all 10 users username will be password.

 

from the above script,I cant't export the value for password filed that is $PASSWD.

 

to make user active i have to use salt value to password that is $PASSWD66,but i am not able to export the password filed.

 

in v3,I dont have any problem,

 

/usr/sbin/usermod -p $(perl -e"print crypt('$PASSWD','xxxxxxxx')") -F $USERNAME

 

but in v2,

 

/usr/sam/lbin/usermod.sam -p `echo $PASSWDlb | /usr/lbin/makekey` $USERNAME

 

in password filed,I have included $PASSWDlb,but in script i have exported as PASSWD,so it is not matching.

 

is there any solition to fix it ??

0 Kudos
Reply
tempsample
Frequent Advisor

‎06-21-2013 03:52 AM

‎06-21-2013 03:52 AM

Re: password encryption

adding one more to the previous post :

 

/usr/sam/lbin/usermod.sam -p `echo ABcd1234lb | /usr/lbin/makekey` $USERNAME

 

currently i am setting ABcd1234 as password to all user,but i want to set username as password for all users .

 

 

 

 

0 Kudos
Reply
tempsample
Frequent Advisor

‎06-21-2013 07:12 AM

‎06-21-2013 07:12 AM

Re: password encryption

Can any one has idea to crypt the password ?

 

so that I can match to my script that i posted above in previous post

0 Kudos
Reply
tempsample
Frequent Advisor

‎06-21-2013 07:14 AM

‎06-21-2013 07:14 AM

Re: password encryption

i found the previous post posted by JRF under the subject name :Using Makekey and Usermod.sam

 

http://forums.itrc.hp.com/service/forums/questionanswer.do?threadId=1252591

 

but i am not able to open it.

 

Can any one help me in opening the page.

0 Kudos
Reply
Matti_Kurkela
Honored Contributor

‎06-21-2013 08:41 AM

‎06-21-2013 08:41 AM

Solution

Re: password encryption

> /usr/sam/lbin/usermod.sam -p `echo $PASSWDlb | /usr/lbin/makekey` $USERNAME

 

The shell "thinks" you want to use the variable named PASSWDlb, not the variable named PASSWD.

 

Try this:

 

/usr/sam/lbin/usermod.sam -p `echo ${PASSWD}lb | /usr/lbin/makekey` $USERNAME

 

 

MK
Reply
Dennis Handly
Acclaimed Contributor

‎06-21-2013 04:16 PM - edited ‎06-21-2013 04:16 PM

‎06-21-2013 04:16 PM - edited ‎06-21-2013 04:16 PM

Re: password encryption

>I found the previous post posted by JRF under the subject name: Using Makekey and Usermod.sam

 

It helps if you provide the URL:

http://h30499.www3.hp.com/t5/System-Administration/Using-Makekey-and-Usermod-sam/td-p/4431217

 

>Can any one help me in opening the page.
 
That URL is the previous incarnation of the forums and is gone forever but the post is somewhere.
You could do a google search for JRF's posts and likely words:
makekey usermod.sam site:h30499.www3.hp.com
 
Some possible other topics:
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.